Latest news about information security threats and incidents

Prevention of security threats and incidents described below is wiser and cheaper than forensic investigations and mitigation of the consequences of a cyber attack. Use our services to find and mitigate your security vulnerabilities before the security threat agents find them.


Why the Georgia Cyber Center is Special

As state government technology leaders gathered in San Diego, California, last month for the National Association of State CIOs (NASCIO) Annual Conference, there were many hot issues on the minds of public and private sector executives. From the upcoming elections, to federal priorities, to state....

Posted on 18 November 2018 9:18 pm on securityboulevard.com


Fugue releases Risk Manager to ID cloud compliance violations

Fugue Risk Manager inspects cloud infrastructure environments and identifies resource configuration issues for common compliance regimes, including AWS CIS Benchmarks, NIST 800-53 Rev. 4, GDPR, HIPAA, and custom controls specified by the customer. Once violations are corrected and a known-good....

Posted on 18 November 2018 9:39 am on www.helpnetsecurity.com


Suspected Russian Hackers Impersonate State Department Aide (SecurityWeek)

WASHINGTON (AP) — U.S. cybersecurity experts say hackers impersonating a State Department official have targeted U.S. government agencies, businesses and think tanks in an attack that bears similarity to past campaigns linked to Russia. The "spear phishing" attempts began on Wednesday, sending....

Posted on 18 November 2018 5:20 am on www.securityweek.com


Popular Dark Web hosting provider got hacked, 6,500 sites down

Daniel's Hosting, one of the largest providers of Dark Web hosting services, was hacked this week and taken offline, ZDNet has learned from one of our readers. The hack took place on Thursday, November 15, according to Daniel Winzen, the software developer behind the hosting service.

Posted on 18 November 2018 12:38 am on www.zdnet.com


Cybaze ZLab-Yoroi team spotted a new variant of the APT28 Lojax rootkit

Malware researchers at the Cybaze ZLab-Yoroi team have spotted a new variant of the infamous APT28 Lojax rootkit (aka Double-Agent).

Posted on 17 November 2018 11:40 am on brica.de


BlackBerry to buy cybersecurity firm Cylance for $1.4 bln

Canadian software maker BlackBerry Ltd said on Friday it will acquire Cylance, an artificial intelligence and cybersecurity company, for $1.4 billion in cash. REUTERS, November 17, 2018, 11:27 IST.

Posted on 17 November 2018 8:28 am on cio.economictimes.indiatimes.com


Europol, Diebold Nixdorf to Share Information on Cyber Threats

Europol on Friday announced that it has signed a cybersecurity-focused memorandum of understanding (MoU) with Diebold Nixdorf, one of the world’s largest providers of ATM and point-of-sale (PoS) services.

Posted on 17 November 2018 8:09 am on brica.de


Russian APT comes back to life with new US spear-phishing campaign

A Russian state-sponsored cyber-espionage group has come back to life after a one-year period of inactivity with a relatively large spear-phishing campaign that has targeted both the US government and the private sector. The hacking group is known in infosec circles as Cozy Bear, APT29, The Dukes, or....

Posted on 17 November 2018 2:47 am on www.zdnet.com


Trump signs bill that creates the Cybersecurity and Infrastructure Security Agency

The bill, known as the CISA Act , reorganizes and rebrands the National Protection and Programs Directorate (NPPD), a program inside the Department of Homeland Security (DHS), as CISA, a standalone federal agency in charge of overseeing civilian and federal cybersecurity programs.

Posted on 16 November 2018 11:42 pm on www.zdnet.com


Report: Russia Has Access to UK Visa Processing

MOSCOW — Investigative group Bellingcat and Russian website The Insider are suggesting that Russian intelligence has infiltrated the computer infrastructure of a company that processes British visa applications. The investigation, published Friday, aims to show how two suspected Russian military....

Posted on 16 November 2018 9:40 pm on www.voanews.com


Exploring Emotet: Examining Emotet’s Activities, Infrastructure

Discovered by Trend Micro in 2014, the banking Trojan Emotet was brought back to life by malware authors last year with its own spamming module, which has allowed it to spread, target new industries and regions, and evade sandbox and malware analysis techniques.

Posted on 16 November 2018 9:35 pm on brica.de


Russian Banks Under Phishing Attack

Banks in Russia today were the target of a massive phishing campaign that aimed to deliver a tool used by the Silence group of hackers. The group is believed to have a background in legitimate infosec activities and access to documentation specific to the financial sector.

Posted on 16 November 2018 9:14 pm on www.bleepingcomputer.com


Virologist Tricked for Virus Attack on Debit Card, Loses Over Rs 1 Lakh

Debit card attacks made headlines again as a veteran virologist fell prey to one, losing a sum of Rs 1,08,988 from his Citibank account. A week ago the victim, who was tricked over a phone call, approached the cybercrime police to file a complaint, and an investigation was opened as part of the bank’s probe into the cheating.

Posted on 16 November 2018 5:03 pm on www.ehackingnews.com


Winter Olympic Games hackers are back with an updated arsenal

The hacking team behind a cyberattack which impacted the Winter Olympic Games is back with an updated cache of droppers and hacking tools. This week, researchers from Check Point said that Hades, the advanced persistent threat (APT) group believed to be behind an attack this year levied against....

Posted on 16 November 2018 4:37 pm on www.zdnet.com


Vaporworms: New breed of self-propagating fileless malware to emerge in 2019 - Threat Brief

WatchGuard Technologies’ information security predictions for 2019 include the emergence of vaporworms, a new breed of fileless malware with wormlike properties to self-propagate through vulnerable systems, along with a takedown of the internet itself and ransomware targeting utilities and industrial control systems.

Posted on 16 November 2018 4:16 pm on threatbrief.com


IBM Security Bulletin: Rational Build Forge Security Advisory for Apache Tomcat and Apache HTTP Server (CVE-2018-11763; CVE-2018-11784)

Nov 16, 2018 8:04 am EST | High Severity. Apache Tomcat and Apache HTTP Server have security vulnerabilities that allow a remote attacker to exploit the application. The respective security vulnerabilities are discussed in detail in the subsequent sections.

Posted on 16 November 2018 3:54 pm on www.ibm.com


Mozilla Firefox Monitor Will Now Alert You If You Visit Recently Hacked Websites

Mozilla has added another component to its Firefox Quantum browser for PC that shows a warning from Mozilla Firefox Monitor when visiting a site that recently had a data breach. It tends to be difficult to know whether and when you may have been affected by a data breach, but not with Firefox Quantum.

Posted on 16 November 2018 1:59 pm on techincidents.com


Thai proposal for all-powerful cyber agency alarms businesses, activists

Civil liberties advocates, internet companies and business groups are protesting the planned legislation, saying it sacrifices privacy and the rule of law, according to interviews and documents reviewed by Reuters. The legislation, likely to gain approval by year-end, is the latest in a wave of new....

Posted on 16 November 2018 1:33 pm on www.reuters.com


Most ATMs can be hacked in under 20 minutes

An extensive testing session carried out by bank security experts at Positive Technologies has revealed that most ATMs can be hacked in under 20 minutes, and even less in certain types of attacks.

Posted on 16 November 2018 12:45 pm on brica.de


Online shoppers continue to engage in risky behavior

Findings from a new McAfee survey reveal the risky habits of online....

Posted on 16 November 2018 9:29 am on www.itsecuritynews.info


China's Hack Attacks: An Economic Espionage Campaign

Plus: MSSP selection tips; analysis of Google web traffic hijacking. An analysis of China's surging hack attacks as part of an economic espionage campaign leads the latest edition of the ISMG Security Report. In this report, you'll hear: Executive Editor....

Posted on 16 November 2018 9:01 am on www.databreachtoday.com


FireEye Expects New Cyber Security Challenges For 2019

FireEye experts predict threats to the aviation industry, continuing nation-state activity, a rise in supply chain attacks and a widening cyber security skills gap in India in 2019. This year’s report includes a top-down view of the cyber security industry by FireEye senior leaders, including CEO Kevin....

Posted on 16 November 2018 8:22 am on www.cxotoday.com


Law firms are increasingly investing in cybersecurity programs

Logicforce released the results of its most recent Law Firm....

Posted on 16 November 2018 7:43 am on www.itsecuritynews.info


EZShield launches Mobile Defense Suite

EZShield protects Personally Identifiable Information (PII) through the Mobile Defense Suite. “Mobile devices positively influence and impact our personal and business lives, but they are also a gateway to identity theft and corporate data breaches,” said Rich Scott, Chief Commercial Officer at EZShield + IdentityForce.

Posted on 16 November 2018 6:29 am on irishinfosecnews.wordpress.com


Dragos Announces $37M in Series B funding for ICS cybersecurity threat detection and response

Dragos raised $37M in Series B funding.

Posted on 16 November 2018 5:58 am on www.itsecuritynews.info


Tripwire Enterprise now collects digital forensic data to support incident response

“Tripwire Enterprise monitors systems in real-time for changes that could be indicative of a breach,” said Tim Erlin, vice president of product management and strategy at Tripwire. “When a security breach is suspected, Tripwire Enterprise’s new Incident Response Rules can be used to collect in-depth....

Posted on 16 November 2018 5:00 am on www.helpnetsecurity.com


Singapore and the United States sign Declaration of Intent on Cybersecurity Technical Assistance Programme

16 Nov 2018. Ms Stephanie Syptak-Ramnath, Chargé d'Affaires, ad interim, United States Embassy in Singapore, and Mr David Koh, Chief Executive, Cyber Security Agency of Singapore, signed the Declaration of Intent to collaborate on a Singapore-US Cybersecurity Technical Assistance Programme.

Posted on 16 November 2018 4:26 am on www.csa.gov.sg


Japan cybersecurity and Olympics minister - "I've never used a computer"

Japan's recently appointed cybersecurity and Olympics minister has told parliament he has never used a computer in his life, though he is responsible for overseeing cybersecurity preparations for the 2020 Tokyo Summer Games. Yoshitaka Sakurada, 68, was named to the two posts last month by Prime....

Posted on 16 November 2018 3:49 am on www.itnews.com.au


7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge

Building cybersecurity skills is a must; paying a lot for the education is optional. Here are seven options for increasing knowledge without depleting a budget. Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication.

Posted on 16 November 2018 3:22 am on www.darkreading.com


Super Micro chief bean counter: Bloomberg's 'unwarranted hardware hacking article' has slowed our server sales (The Register)

Amazon, unsatisfied with the lack of retraction, reportedly pulled its fourth quarter ad spending with Bloomberg, which publishes the magazine Business Week and also sells information terminals to traders.

Posted on 16 November 2018 2:54 am on www.theregister.co.uk


Siemens IEC 61850 System Configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC

Advisory Document

Posted on 13 November 2018 5:35 pm on ics-cert.us-cert.gov


Siemens S7-400 CPUs

Advisory Document

Posted on 13 November 2018 5:30 pm on ics-cert.us-cert.gov


Siemens SIMATIC Panels and SIMATIC WinCC (TIA Portal)

Advisory Document

Posted on 13 November 2018 5:25 pm on ics-cert.us-cert.gov


Siemens SCALANCE S

Advisory Document

Posted on 13 November 2018 5:20 pm on ics-cert.us-cert.gov


Siemens SIMATIC S7

Advisory Document

Posted on 13 November 2018 5:15 pm on ics-cert.us-cert.gov


Siemens SIMATIC STEP 7 (TIA Portal)

Advisory Document

Posted on 13 November 2018 5:10 pm on ics-cert.us-cert.gov


Siemens SIMATIC IT Production Suite

Advisory Document

Posted on 13 November 2018 5:05 pm on ics-cert.us-cert.gov


Siemens SIMATIC Panels

Advisory Document

Posted on 13 November 2018 5:00 pm on ics-cert.us-cert.gov


Philips iSite and IntelliSpace PACS

Advisory Document

Posted on 8 November 2018 4:31 pm on ics-cert.us-cert.gov


Roche Diagnostics Point of Care Handheld Medical Devices (Update A)

Advisory Document

Posted on 6 November 2018 6:08 pm on ics-cert.us-cert.gov


AVEVA InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition)

Advisory Document

Posted on 1 November 2018 4:15 pm on ics-cert.us-cert.gov


Schneider Electric Software Update (SESU) (Update A)

Advisory Document

Posted on 1 November 2018 4:10 pm on ics-cert.us-cert.gov


Circontrol CirCarLife

Advisory Document

Posted on 1 November 2018 4:05 pm on ics-cert.us-cert.gov


Fr. Sauter AG CASE Suite

Advisory Document

Posted on 1 November 2018 4:00 pm on ics-cert.us-cert.gov


PEPPERL+FUCHS CT50-Ex

Advisory Document

Posted on 30 October 2018 6:23 pm on ics-cert.us-cert.gov


GEOVAP Reliance 4 SCADA/HMI

Advisory Document

Posted on 25 October 2018 5:05 pm on ics-cert.us-cert.gov


Advantech WebAccess

Advisory Document

Posted on 25 October 2018 5:00 pm on ics-cert.us-cert.gov


Advantech WebAccess

Advisory Document

Posted on 23 October 2018 5:10 pm on ics-cert.us-cert.gov


GAIN Electronic Co. Ltd SAGA1-L Series

Advisory Document

Posted on 23 October 2018 5:05 pm on ics-cert.us-cert.gov


Telecrane F25 Series

Advisory Document

Posted on 23 October 2018 5:00 pm on ics-cert.us-cert.gov


AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide

Original release date: October 11, 2018

Summary

This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. [1] [2] [3] [4] [5] In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:

- Remote Access Trojan: JBiFrost
- Webshell: China Chopper
- Credential Stealer: Mimikatz
- Lateral Movement Framework: PowerShell Empire
- C2 Obfuscation and Exfiltration: HUC Packet Transmitter

To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.

The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.

Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.

The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.

Experience from all our countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives.

Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Abuse of unpatched software vulnerabilities or poorly configured systems is a common way for a threat actor to gain access. The tools detailed in this Activity Alert come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim’s systems.

How to Use This Report

The tools detailed in this Activity Alert fall into five categories: Remote Access Trojans (RATs), webshells, credential stealers, lateral movement frameworks, and command and control (C2) obfuscators. This Activity Alert provides an overview of the threat posed by each tool, along with insight into where and when it has been deployed by threat actors. Measures to aid detection and limit the effectiveness of each tool are also described. The Activity Alert concludes with general advice for improving network defense practices.

Technical Details

Remote Access Trojan: JBiFrost

First observed in May 2015, the JBiFrost RAT is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT from 2012. A RAT is a program that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to install backdoors and key loggers, take screen shots, and exfiltrate data. Malicious RATs can be difficult to detect because they are normally designed not to appear in lists of running programs and can mimic the behavior of legitimate applications. To prevent forensic analysis, RATs have been known to disable security measures (e.g., Task Manager) and network analysis tools (e.g., Wireshark) on the victim’s system.

In Use

JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors. Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors. Threat actors have repeatedly compromised servers in our countries with the purpose of delivering malicious RATs to victims, either to gain remote access for further exploitation, or to steal valuable information such as banking credentials, intellectual property, or PII.

Capabilities

JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, MAC OS X, and Android. JBiFrost RAT allows threat actors to pivot and move laterally across a network or install additional malicious software. It is primarily delivered through emails as an attachment, usually an invoice notice, request for quotation, remittance notice, shipment notification, payment notice, or with a link to a file hosting service...

Posted on 11 October 2018 6:19 pm on www.us-cert.gov


TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service Providers

Original release date: October 03, 2018

Systems Affected

Network Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.

This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents.

Description

MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.

Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors. By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks. Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks.

Note: NCCIC previously released information related to this activity in Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors, published on April 27, 2017, which includes indicators of compromise, signatures, suggested detection methods, and recommended mitigation techniques.

Technical Details

APT actors use a range of “living off the land” techniques to maintain anonymity while conducting their attacks. These techniques include using legitimate credentials and trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks. Pre-installed system tools, such as command line scripts, are very common and used by system administrators for legitimate processes. Command line scripts are used to discover accounts and remote systems.

PowerSploit is a repository of Microsoft PowerShell and Visual Basic scripts and uses system commands such as netsh. PowerSploit, originally developed as a legitimate penetration testing tool, is widely misused by APT actors. These scripts often cannot be blocked because they are legitimate tools, so APT actors can use them and remain undetected on victim networks. Although network defenders can generate log files, APT actors’ use of legitimate scripts makes it difficult to identify system anomalies and other malicious activity.

When APT actors use system tools and common cloud services, it can also be difficult for network defenders to detect data exfiltration. APT actors have been observed using Robocopy—a Microsoft command line tool—to transfer exfiltrated and archived data from MSP client networks back through MSP network environments. Additionally, APT actors have been observed using legitimate PuTTY Secure Copy Client functions, allowing them to transfer stolen data securely and directly to third-party systems.

Impact

A successful network intrusion can have severe impacts to the affected organization, particularly if the compromise becomes public. Possible impacts include:

- Temporary or permanent loss of sensitive or proprietary information,
- Disruption to regular operations,
- Financial losses to restore systems and files, and
- Potential harm to the organization’s reputation.

Solution

Detection

Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Properly configured logs enable rapid containment and appropriate response.

Response

An organization’s ability to rapidly respond to and recover from an incident begins with the development of an incident response capability...

Posted on 3 October 2018 2:47 pm on www.us-cert.gov


TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation

Original release date: October 03, 2018

Systems Affected

Network Systems

Overview

This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover.

Description

APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials and remote-access logs, and controlling privileged access and remote access.

Impact

APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth.

Solution

Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response. Using a defense-in-depth strategy is likely to increase the odds of successfully disrupting adversarial objectives long enough to allow network defenders to detect and respond before the successful completion of a threat actor’s objectives.

Any organization that uses an MSP to provide services should monitor the MSP's interactions within their organization’s enterprise networks, such as account use, privileges, and access to confidential or proprietary information. Organizations should also ensure that they have the ability to review their security and monitor their information hosted on MSP networks.

APT TTPs and Corresponding Mitigations

The following table displays the TTPs employed by APT actors and pairs them with mitigations that network defenders can implement.

Table 1: APT TTPs and Mitigations

Preparation
  APT TTPs: Allocate operational infrastructure, such as Internet Protocol addresses (IPs). Gather target credentials to use for legitimate access.
  Mitigations:
    Protect: Educate users to never click unsolicited links or open unsolicited attachments in emails. Implement an awareness and training program.
    Detect: Leverage multi-sourced threat-reputation services for files, Domain Name System (DNS), Uniform Resource Locators (URLs), IPs, and email addresses.

Engagement
  APT TTPs: Use legitimate remote access, such as virtual private networks (VPNs) and Remote Desktop Protocol (RDP). Leverage a trusted relationship between networks.
  Mitigations:
    Protect: Enable strong spam filters to prevent phishing emails from reaching end users. Authenticate inbound email using Sender Policy Framework; Domain-Based Message Authentication, Reporting and Conformance; and DomainKeys Identified Mail to prevent email spoofing. Prevent external access via RDP sessions and require VPN access. Enforce multi-factor authentication and account-lockout policies to defend against brute force attacks.
    Detect: Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses. Scan all incoming and outgoing emails to detect threats and filter out executables. Audit all remote authentications from trusted networks or service providers for anomalous activity.
    Respond and Recover: Reset credentials, including system accounts. Transition to multifactor authentication and reduce use of password-based systems, which are susceptible to credential theft, forgery, and reuse across multiple systems.

Presence
  APT TTPs: Execution and Internal Reconnaissance: Write to disk and execute malware and tools on hosts. Use interpreted scripts and run commands in shell to enumerate accounts, local network, operating system, software, and processes for internal reconnaissance...

Posted on 3 October 2018 2:00 pm on www.us-cert.gov


TA18-275A: HIDDEN COBRA – FASTCash Campaign

Original release date: October 02, 2018 | Last revised: October 08, 2018

Systems Affected: Retail payment systems

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS, Treasury, and FBI identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme, referred to by the U.S. Government as “FASTCash.” The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra .

FBI has high confidence that HIDDEN COBRA actors are using the IOCs listed in this report to maintain a presence on victims’ networks and enable network exploitation. DHS, FBI, and Treasury are distributing these IOCs to enable network defense and reduce exposure to North Korean government malicious cyber activity. This TA also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the malware families associated with FASTCash, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

NCCIC conducted analysis on 10 malware samples related to this activity and produced a Malware Analysis Report (MAR). MAR-10201537 – HIDDEN COBRA FASTCash-Related Malware examines the tactics, techniques, and procedures observed in the malware. Visit the MAR-10201537 page for the report and associated IOCs.

Description

Since at least late 2016, HIDDEN COBRA actors have used FASTCash tactics to target banks in Africa and Asia. At the time of this TA’s publication, the U.S. Government has not confirmed any FASTCash incidents affecting institutions within the United States. FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation. According to a trusted partner’s estimation, HIDDEN COBRA actors have stolen tens of millions of dollars. In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.

HIDDEN COBRA actors target the retail payment system infrastructure within banks to enable fraudulent ATM cash withdrawals across national borders. They configured and deployed legitimate scripts on compromised switch application servers in order to intercept financial request messages and reply with fraudulent but legitimate-looking affirmative response messages. Although the infection vector is unknown, all of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions beyond the end of their service pack support dates; there is no evidence that HIDDEN COBRA actors exploited the AIX operating system itself in these incidents. HIDDEN COBRA actors exploited the targeted systems using their knowledge of ISO 8583, the International Organization for Standardization’s standard for financial transaction messaging, and other tactics. HIDDEN COBRA actors most likely deployed ISO 8583 libraries on the targeted switch application servers; such libraries help interpret financial request messages and properly construct fraudulent financial response messages.

Figure 1: Anatomy of a FASTCash scheme

A review of log files showed HIDDEN COBRA actors making typos and actively correcting errors while configuring the targeted server for unauthorized activity. Based on analysis of the affected systems, analysts believe that the scripts used by HIDDEN COBRA actors (explained in the Technical Details section below) inspected inbound financial request messages for specific primary account numbers (PANs). The scripts generated fraudulent financial response messages only for the request messages that matched the expected PANs. Most accounts used to initiate the transactions had minimal account activity or zero balances. Analysts believe HIDDEN COBRA actors blocked transaction messages to stop denial messages from leaving the switch and used a GenerateResponse* function to approve the transactions...
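The pattern described above (an affirmative response fabricated on the switch, the issuer's denial never leaving it) is visible in switch logs if the legs of each transaction are reconciled. The following is an added example, not code from the alert or the MAR: a Python script that parses a small subset of ISO 8583 (MTI, primary bitmap, PAN, processing code, amount, STAN, response code, terminal ID) and flags any approval (response code 00) sent back toward the ATM side that either has no matching request forwarded to the issuer host or contradicts the issuer's reply. The leg names, log layout, field subset and sample messages are constructed assumptions; real switches log differently and use secondary bitmaps, which this parser rejects rather than guesses.

```python
"""Reconcile ISO 8583 traffic through a payment switch and flag approvals
that never received issuer authorization.
Added example: the field subset, leg names, log layout and sample messages
are constructed for illustration; they are not from the alert or the MAR."""
from collections import defaultdict

# Minimal ISO 8583 field subset: bit -> (name, kind, length).
# "fixed" = fixed-length field, "llvar" = 2-digit length prefix then data.
FIELDS = {
    2:  ("pan", "llvar", 2),             # primary account number
    3:  ("processing_code", "fixed", 6),
    4:  ("amount", "fixed", 12),
    11: ("stan", "fixed", 6),            # system trace audit number, ties the legs together
    39: ("response_code", "fixed", 2),   # "00" = approved
    41: ("terminal_id", "fixed", 8),
}

def parse_iso8583(raw: str) -> dict:
    """Parse MTI + 16-hex-char primary bitmap + the fields listed in FIELDS."""
    mti, bitmap_hex, body = raw[:4], raw[4:20], raw[20:]
    bits = bin(int(bitmap_hex, 16))[2:].zfill(64)   # bit 1 is the most significant bit
    msg, pos = {"mti": mti}, 0
    for bit_no, present in enumerate(bits, start=1):
        if present != "1":
            continue
        if bit_no not in FIELDS:   # includes bit 1 (secondary bitmap), deliberately unsupported
            raise ValueError(f"field {bit_no} not supported by this example parser")
        name, kind, length = FIELDS[bit_no]
        if kind == "llvar":
            length, pos = int(body[pos:pos + 2]), pos + 2
        msg[name], pos = body[pos:pos + length], pos + length
    return msg

def build_iso8583(mti: str, fields: dict) -> str:
    """Inverse of parse_iso8583; fields is {bit_no: value}. Used to build the sample traffic."""
    bitmap, body = 0, ""
    for bit_no in sorted(fields):
        _, kind, _ = FIELDS[bit_no]
        bitmap |= 1 << (64 - bit_no)
        body += (f"{len(fields[bit_no]):02d}" if kind == "llvar" else "") + fields[bit_no]
    return f"{mti}{bitmap:016X}{body}"

def reconcile(log_records):
    """log_records: iterable of (leg, raw_message) where leg is one of
    acquirer_in (request from the ATM side), issuer_out (forwarded to the issuer host),
    issuer_in (issuer reply), acquirer_out (reply sent back to the ATM side).
    Returns [(stan, reason)] for approvals the issuer never made."""
    by_stan = defaultdict(dict)
    for leg, raw in log_records:
        msg = parse_iso8583(raw)
        by_stan[msg["stan"]][leg] = msg
    findings = []
    for stan, legs in sorted(by_stan.items()):
        out = legs.get("acquirer_out")
        if out is None or out.get("response_code") != "00":
            continue    # only approvals leaving the switch matter here
        if "issuer_out" not in legs or "issuer_in" not in legs:
            findings.append((stan, "approval sent without issuer authorization"))
            continue
        issuer_rc = legs["issuer_in"].get("response_code")
        if issuer_rc != "00":
            findings.append((stan, f"issuer responded {issuer_rc} but switch approved"))
    return findings

def sample_log():
    """Constructed switch log: a legitimate withdrawal, an approval fabricated on
    the switch (request never forwarded), and an issuer decline that was overridden."""
    def req(stan, pan):
        return build_iso8583("0200", {2: pan, 3: "010000", 4: "000000020000", 11: stan, 41: "ATM00001"})
    def rsp(stan, pan, rc):
        return build_iso8583("0210", {2: pan, 3: "010000", 4: "000000020000", 11: stan, 39: rc, 41: "ATM00001"})
    legit, fake, override = "000101", "000102", "000103"
    return [
        ("acquirer_in",  req(legit, "4111111111111111")),
        ("issuer_out",   req(legit, "4111111111111111")),
        ("issuer_in",    rsp(legit, "4111111111111111", "00")),
        ("acquirer_out", rsp(legit, "4111111111111111", "00")),
        ("acquirer_in",  req(fake, "4222222222222")),
        ("acquirer_out", rsp(fake, "4222222222222", "00")),          # no issuer legs at all
        ("acquirer_in",  req(override, "4333333333333333")),
        ("issuer_out",   req(override, "4333333333333333")),
        ("issuer_in",    rsp(override, "4333333333333333", "51")),   # 51 = insufficient funds
        ("acquirer_out", rsp(override, "4333333333333333", "00")),
    ]

if __name__ == "__main__":
    for stan, reason in reconcile(sample_log()):
        print(f"STAN {stan}: {reason}")
```

Run against the constructed log, the legitimate STAN 000101 is silent and the two fabricated approvals are reported. The same reconciliation is worth running continuously, keyed on whatever the switch uses to correlate legs, because the scripts described above only ever fire for a short list of PANs and a PAN-level review of balances would miss them.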

Posted on 2 October 2018 6:45 pm on www.us-cert.gov


TA18-201A: Emotet Malware

Original release date: July 20, 2018

Systems Affected: Network systems

Overview

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. This joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).

Description

Emotet’s worm-like features result in rapidly spreading, network-wide infections that are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is virtual-machine-aware and can generate false indicators if run in a virtual environment.

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate across the local network through its spreader modules.

Figure 1: Malicious email distributing Emotet

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator. NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user; it can also recover passwords stored in the credentials file of external drives. Outlook scraper scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send additional phishing emails from the compromised accounts. WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module. Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module. The credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component enumerates network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component to that system, which in turn writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).

Figure 2: Emotet infection process

To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control (C2) server, usually through a generated 16-letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.

Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares. Note: it is essential that privileged accounts are not used to log in to compromised systems during remediation, as this may accelerate the spread of the malware...

Posted on 21 July 2018 12:24 am on www.us-cert.gov


TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

Original release date: May 29, 2018 | Last revised: May 31, 2018

Systems Affected: Network systems

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government: a remote access tool (RAT), commonly known as Joanap; and a Server Message Block (SMB) worm, commonly known as Brambul. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra .

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses listed in this report’s IOC files to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on how to report incidents. If users or administrators detect activity associated with these malware families, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

Downloadable copies of the IOCs are provided as IOCs (.csv) and IOCs (.stix). NCCIC conducted analysis on four malware samples and produced a Malware Analysis Report (MAR). MAR-10135536.3 – HIDDEN COBRA RAT/Worm examines the tactics, techniques, and procedures observed in the malware; visit that MAR for the report and associated IOCs.

Description

According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States, including the media, aerospace, financial, and critical infrastructure sectors. Users and administrators should review the information related to Joanap and Brambul from the Operation Blockbuster Destructive Malware Report [1] in conjunction with the IP addresses listed in the .csv and .stix files provided within this alert.

Like many of the families of malware used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom malware tools may be found on compromised network nodes. Each malware tool has different purposes and functionalities.

Joanap is a fully functional RAT that is able to receive multiple commands, which can be issued by HIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file dropped by other HIDDEN COBRA malware, which users unknowingly download either when they visit sites compromised by HIDDEN COBRA actors or when they open malicious email attachments. During analysis of the infrastructure used by Joanap malware, the U.S. Government identified 87 compromised network nodes. The infected IP addresses are registered in the following countries: Argentina, Belgium, Brazil, Cambodia, China, Colombia, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Spain, Sri Lanka, Sweden, Taiwan, and Tunisia. Malware often infects servers and systems without the knowledge of system users and owners. If the malware can establish persistence, it could move laterally through a victim’s network and any connected networks to infect nodes beyond those identified in this alert.

Brambul is a brute-force authentication worm that spreads through SMB shares. SMB enables shared access to files between users on a network. Brambul typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against SMB services for access to a victim’s networks.

Technical Details

Joanap

Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include file management, process management, creation and deletion of directories, and node management. Analysis indicates the malware encodes data using RC4 (Rivest Cipher 4) to protect its communication with HIDDEN COBRA actors...

Posted on 29 May 2018 3:18 pm on www.us-cert.gov


TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices Worldwide

Original release date: May 25, 2018 | Last revised: June 07, 2018

Systems Affected: Small office/home office (SOHO) routers; networked devices; network-attached storage (NAS) devices

Overview

Cybersecurity researchers have identified that foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide [1] [2] [3]. The actors used VPNFilter malware to target small office/home office (SOHO) routers. VPNFilter malware uses modular functionality to collect intelligence, exploit local area network (LAN) devices, and block actor-configurable network traffic. Specific characteristics of VPNFilter have only been observed in the BlackEnergy malware, specifically BlackEnergy versions 2 and 3.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) recommend that owners of SOHO routers power cycle (reboot) SOHO routers and networked devices to temporarily disrupt the malware. DHS and FBI encourage SOHO router owners to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field . CyWatch can be contacted by phone at 855-292-3937 or by email at CyWatch@fbi.gov. Each submitted report should include as much information as possible, specifically the date, time, location, type of activity, number of people, the type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.

Description

The size and scope of the infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilter malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices. The initial exploit vector for this malware is currently unknown. The malware uses modular functionality on SOHO routers to collect intelligence, exploit LAN devices, and block actor-configurable network traffic. The malware can render a device inoperable, and has destructive functionality across routers, network-attached storage devices, and central processing unit (CPU) architectures running embedded Linux. The command and control mechanism implemented by the malware uses a combination of secure sockets layer (SSL) with client-side certificates for authentication and the Tor network, complicating network traffic detection and analysis.

Impact

Negative consequences of VPNFilter malware infection include temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.

Solution

DHS and FBI recommend that all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware. Network device management interfaces such as Telnet, SSH, Winbox, and HTTP should be turned off on wide-area network (WAN) interfaces and, when enabled, secured with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware, which often contain patches for vulnerabilities.

Rebooting affected devices removes the non-persistent portions of the malware. Network defenders should ensure that first-stage malware is removed from the devices, and that appropriate network-level blocking is in place, before rebooting affected devices; this ensures that second-stage malware is not downloaded again after the reboot. While the paths at each stage of the malware can vary across device platforms, processes running with the name "vpnfilter" are almost certainly instances of the second-stage malware. Terminating these processes and removing associated processes and persistent files that execute the second-stage malware would likely remove this malware from targeted devices.

References

[1] New VPNFilter malware targets at least 500K networking devices worldwide
[2] Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage
[3] VPNFilter Update - VPNFilter exploits endpoints, targets new devices

Revision History

May 25, 2018: Initial version
June 7, 2018: Added link to June 6, 2018 Cisco Talos blog update on VPNFilter

Posted on 25 May 2018 9:22 pm on www.us-cert.gov


TA18-141A: Side-Channel Vulnerability Variants 3a and 4

Original release date: May 21, 2018 | Last revised: May 22, 2018

Systems Affected: CPU hardware implementations

Overview

On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants, known as 3a and 4, can allow an attacker to obtain access to sensitive information on affected systems.

Description

Common CPU hardware implementations are vulnerable to the side-channel attacks known as Spectre and Meltdown. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.

Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information. Variant 4 is a vulnerability that exploits speculative store bypass: the CPU may speculatively execute a load before an older store to the same address has completed, so the load briefly observes the stale value. When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to read arbitrary privileged data, and to run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods.

Corresponding CVEs for side-channel Variants 1, 2, 3, 3a, and 4:

Variant 1: Bounds Check Bypass – CVE-2017-5753
Variant 2: Branch Target Injection – CVE-2017-5715
Variant 3: Rogue Data Cache Load – CVE-2017-5754
Variant 3a: Rogue System Register Read – CVE-2018-3640
Variant 4: Speculative Store Bypass – CVE-2018-3639

Impact

Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to obtain access to sensitive information on affected systems.

Solution

NCCIC recommends that users and administrators refer to their hardware and software vendors for patches or microcode, use a test environment to verify each patch before implementing it, and ensure that performance is monitored for critical applications and services. Consult with vendors and service providers to mitigate any degradation effects, if possible. Consult with cloud service providers to mitigate and resolve any impacts resulting from host operating system patching and mandatory rebooting, if applicable.

The following vendor advisories and patches were published in response to the vulnerabilities (date added to the alert in parentheses): AMD (May 21, 2018), ARM (May 21, 2018), Intel (May 22, 2018), Microsoft (May 21, 2018), Red Hat (May 21, 2018).

References

Google Project Zero Blog
Bounds Check Bypass – CVE-2017-5753
Branch Target Injection – CVE-2017-5715
Rogue Data Cache Load – CVE-2017-5754
Rogue System Register Read – CVE-2018-3640
Speculative Store Bypass – CVE-2018-3639
TA18-004A – Meltdown and Spectre Side-Channel Vulnerability Guidance

Revision History

May 21, 2018: Initial version
May 22, 2018: Added information and link to Intel in table
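On Linux hosts the kernel reports its own mitigation status for these variants under /sys/devices/system/cpu/vulnerabilities, which is the first thing to check after applying vendor patches and microcode. The following added example (not from the alert) maps the five CVEs listed above onto those sysfs entries and lists which remain vulnerable. Variant 3a has no sysfs entry, since its fix is delivered in CPU microcode rather than by the kernel, so the script reports it as needing a vendor microcode check instead of guessing. The snapshot used when the directory is absent is constructed.

```python
"""Report the kernel's view of the Spectre/Meltdown variant mitigations from
/sys/devices/system/cpu/vulnerabilities. Added example, not from the alert.
Variant 3a (CVE-2018-3640) has no sysfs entry (microcode fix), so it is reported
as needing a vendor check. SAMPLE_SNAPSHOT is constructed."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Advisory variant -> (CVE, sysfs file name the kernel exposes, or None)
VARIANTS = {
    "Variant 1 (Bounds Check Bypass)":         ("CVE-2017-5753", "spectre_v1"),
    "Variant 2 (Branch Target Injection)":     ("CVE-2017-5715", "spectre_v2"),
    "Variant 3 (Rogue Data Cache Load)":       ("CVE-2017-5754", "meltdown"),
    "Variant 3a (Rogue System Register Read)": ("CVE-2018-3640", None),
    "Variant 4 (Speculative Store Bypass)":    ("CVE-2018-3639", "spec_store_bypass"),
}

def classify(status: str) -> str:
    """Map a sysfs status line to mitigated / vulnerable / not_affected / unknown."""
    s = status.strip()
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Snapshot {file name: contents} of the vulnerabilities directory; empty if absent."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}

def report(snapshot: dict) -> dict:
    """Return {variant: (cve, state, detail)} for every variant in the advisory."""
    out = {}
    for name, (cve, sysfs_file) in VARIANTS.items():
        if sysfs_file is None:
            out[name] = (cve, "no_kernel_status", "verify CPU microcode revision with the vendor")
        elif sysfs_file in snapshot:
            raw = snapshot[sysfs_file].strip()
            out[name] = (cve, classify(raw), raw)
        else:
            out[name] = (cve, "unknown", "sysfs entry missing (kernel predates this report?)")
    return out

def unmitigated(snapshot: dict) -> list:
    """Variants the kernel still reports as vulnerable, i.e. the patching priority list."""
    return [name for name, (_, state, _) in report(snapshot).items() if state == "vulnerable"]

# Constructed snapshot resembling a host patched for Variants 1-3 but not yet for Variant 4.
SAMPLE_SNAPSHOT = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
    "meltdown": "Mitigation: PTI\n",
    "spec_store_bypass": "Vulnerable\n",
}

if __name__ == "__main__":
    snap = read_sysfs() or SAMPLE_SNAPSHOT   # fall back to the constructed sample off-Linux
    for name, (cve, state, detail) in report(snap).items():
        print(f"{name:42} {cve:14} {state:17} {detail}")
```

The sysfs status reflects what the running kernel knows; a "Mitigation:" line for Variant 4 still depends on the microcode the kernel found at boot, which is why the advisory's advice to verify each patch in a test environment and watch performance applies to both layers.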

Posted on 21 May 2018 11:54 pm on www.us-cert.gov


TA18-106A: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

Original release date: April 16, 2018 | Last revised: April 20, 2018

Systems Affected: Generic Routing Encapsulation (GRE) enabled devices; Cisco Smart Install (SMI) enabled devices; Simple Network Management Protocol (SNMP) enabled network devices

Overview

Update: On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the tactics, techniques, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported that the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, including the configuration files of networked devices. NCCIC encourages organizations to use the detection and prevention guidelines outlined in this Alert to help defend against this activity. For instance, administrators should inspect for the presence of IP protocol 47 (GRE) traffic flowing to or from unexpected addresses, or for the unexplained presence of GRE tunnel creation, modification, or destruction in log files.

Original Post: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). This TA provides information on the worldwide cyber exploitation of network infrastructure devices (e.g., routers, switches, firewalls, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the TTPs used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners. This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union [1-5]. This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims.

FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.

DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices, coupled with a Russian government campaign to exploit these devices, threatens the safety, security, and economic well-being of the United States.

The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office/home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity. For a downloadable copy of the IOC package, see TA18-106A_TLP_WHITE.stix.xml .

Description

Since 2015, the U.S. Government has received information from multiple sources, including private and public sector cybersecurity research organizations and allies, that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.

Legacy Protocols and Poor Security Practice

Russian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to identify vulnerable devices; extract device configurations; map internal network architectures; harvest login credentials; masquerade as privileged users; modify device firmware, operating systems, and configurations; and copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure. Additionally, Russian cyber actors could potentially modify or deny traffic traversing the router. Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following weaknesses: devices with legacy unencrypted protocols or unauthenticated services, devices insufficiently hardened before installation, and devices no longer supported with security patches by manufacturers or vendors (end-of-life devices)...
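This alert and TA18-145A above come down to the same detection question: is management-plane traffic (GRE, SNMP, Cisco Smart Install, Telnet, SSH, Winbox, HTTP) reaching network devices from anywhere other than the addresses it is supposed to? The following added example, not part of either alert, audits flow records against an allowlist of GRE tunnel peers and management networks: GRE (IP protocol 47) with an endpoint outside the approved peers is flagged, as is any management service reaching a device address from outside the management network. The CSV flow layout, the port list for Winbox and Smart Install, the address ranges and the sample flows are constructed assumptions.

```python
"""Flag unexpected GRE and management-plane traffic in flow records.
Added example; the flow record layout, address ranges and sample flows are
constructed and are not from TA18-106A or TA18-145A."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Management-plane services both alerts single out (ports for Winbox and
# Cisco Smart Install are their well-known defaults).
MGMT_PORTS = {
    ("tcp", 22): "ssh", ("tcp", 23): "telnet", ("tcp", 80): "http", ("tcp", 443): "https",
    ("tcp", 8291): "winbox", ("tcp", 4786): "cisco-smart-install", ("udp", 161): "snmp",
}

def parse_flow(line: str) -> Flow:
    """'src,dst,proto,dport' CSV; dport is '-' for protocols without ports (e.g. gre)."""
    src, dst, proto, dport = line.strip().split(",")
    return Flow(src, dst, proto.lower(), None if dport == "-" else int(dport))

def in_any(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def audit(flows, gre_peers, mgmt_nets, device_nets):
    """Return [(flow, finding)] for
       - GRE where either endpoint is not an approved tunnel peer, and
       - a management service reaching a network device from outside mgmt_nets."""
    findings = []
    for f in flows:
        if f.proto == "gre":
            if not (in_any(f.src, gre_peers) and in_any(f.dst, gre_peers)):
                findings.append((f, "GRE (protocol 47) with unapproved tunnel endpoint"))
            continue
        svc = MGMT_PORTS.get((f.proto, f.dport))
        if svc and in_any(f.dst, device_nets) and not in_any(f.src, mgmt_nets):
            findings.append((f, f"{svc} to network device from outside the management network"))
    return findings

# Constructed policy: approved tunnel peers, the management jump network, device address ranges.
GRE_PEERS = [ipaddress.ip_network("192.0.2.0/24")]
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
DEVICE_NETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.255.0.0/16")]

# Constructed flows: an approved tunnel, a tunnel to a stranger, in-policy admin
# traffic, three management services hit on a WAN address, and ordinary user traffic.
SAMPLE_FLOWS = """\
192.0.2.10,192.0.2.20,gre,-
192.0.2.10,198.51.100.77,gre,-
10.10.0.5,10.255.0.1,tcp,22
198.51.100.9,203.0.113.1,tcp,23
198.51.100.9,203.0.113.1,udp,161
198.51.100.9,203.0.113.1,tcp,4786
10.10.0.5,10.255.0.1,udp,161
203.0.113.50,93.184.216.34,tcp,443
"""

def run_sample():
    flows = [parse_flow(line) for line in SAMPLE_FLOWS.splitlines()]
    return audit(flows, GRE_PEERS, MGMT_NETS, DEVICE_NETS)

if __name__ == "__main__":
    for flow, finding in run_sample():
        print(f"{flow.src:>16} -> {flow.dst:<16} {flow.proto}/{flow.dport or '-':<5} {finding}")
```

Any hit on the Telnet, SNMP or Smart Install rows is the exposure both alerts describe, and the fix is the one TA18-145A gives: close those services on the WAN side and restrict the rest to the management network, rather than tuning the detector.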

Posted on 16 April 2018 8:25 pm on www.us-cert.gov


TA18-086A: Brute Force Attacks Conducted by Cyber Actors

Original release date: March 27, 2018 | Last revised: March 28, 2018

Systems Affected: Networked systems

Overview

According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad. In February 2018, the Department of Justice in the Southern District of New York indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses related to activity described in this report. The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group. The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are releasing this Alert to provide further information on this activity.

Description

In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in the targeted account getting locked out, as commonly used account-lockout policies allow three to five bad attempts during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target these protocols because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise. Email applications are also targeted. In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization's email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company’s email address list, and/or (4) surreptitiously implement inbox rules for the forwarding of sent and received messages.

Technical Details

Traditional tactics, techniques, and procedures (TTPs) for conducting password-spray attacks are as follows. Actors use online research (e.g., Google search, LinkedIn) to identify target organizations and specific user accounts for the initial password spray. Using easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, they execute a password spray against the targeted accounts through the identified SSO or web-based application and its federated authentication method. Leveraging the initial group of compromised accounts, they download the Global Address List (GAL) from a target’s email client and perform a larger password spray against legitimate accounts. Using the compromised access, they attempt to expand laterally (e.g., via Remote Desktop Protocol) within the network and perform mass data exfiltration using File Transfer Protocol tools such as FileZilla.

Indicators of a password spray attack include a massive spike in attempted logons against the enterprise SSO portal or web-based application (using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer, e.g., a common User-Agent string; attacks have been seen to run for over two hours), and employee logons from IP addresses resolving to locations inconsistent with their normal locations.

Typical Victim Environment

The vast majority of known password spray victims share some of the following characteristics [1] [2]: they use SSO or web-based applications with a federated authentication method; lack multifactor authentication (MFA); allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”); use inbox synchronization, allowing email to be pulled from cloud environments to remote devices; allow email forwarding to be set up at the user level; and have limited logging set up, creating difficulty during post-event investigations.

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include temporary or permanent loss of sensitive or proprietary information; disruption to regular operations; financial losses incurred to restore systems and files; and potential harm to an organization’s reputation...
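The indicators above (many accounts, one or two attempts each, one source, a run lasting hours) and the Brambul SMB worm in TA18-149A (a hard-coded credential list hammered at one account) are the two ends of the same failed-logon distribution, and a rule that keys on lockouts alone sees only the second. The following added example, not from either alert, classifies failed-logon events per source address into password spray or brute force from the per-account failure counts, which is the distinction the lockout policy cannot make. The event format, the thresholds and the sample events are constructed assumptions to tune against your own logs.

```python
"""Classify failed-logon bursts per source as password spraying (one password
tried across many accounts, low and slow) or brute force (many attempts on one
account). Added example serving the TA18-086A and TA18-149A (Brambul) passages;
the event layout, thresholds and sample events are constructed."""
from collections import defaultdict
from datetime import datetime

def parse_events(lines):
    """Constructed 'timestamp,source_ip,user,result' lines; map your SIEM's
    failed-logon events (e.g. Windows 4625, SSO portal auth failures) onto this."""
    for line in lines:
        ts, src, user, result = line.strip().split(",")
        yield datetime.fromisoformat(ts), src, user.lower(), result

def classify_sources(events, spray_min_accounts=10, spray_max_per_account=3,
                     bruteforce_min_attempts=20):
    """Return {source_ip: {'pattern', 'accounts', 'failures', 'window_s'}} for sources
    whose failures fit either pattern. Thresholds are assumptions: a spray stays under
    the 3-5 attempt lockout policy per account, a brute force blows through it."""
    per_src = defaultdict(lambda: {"accounts": defaultdict(int), "times": []})
    for ts, src, user, result in events:
        if result != "failure":
            continue
        per_src[src]["accounts"][user] += 1
        per_src[src]["times"].append(ts)
    out = {}
    for src, d in per_src.items():
        accounts, times = d["accounts"], sorted(d["times"])
        per_account_max = max(accounts.values())
        if len(accounts) >= spray_min_accounts and per_account_max <= spray_max_per_account:
            pattern = "password-spray"
        elif len(accounts) < spray_min_accounts and per_account_max >= bruteforce_min_attempts:
            pattern = "brute-force"
        else:
            continue    # ordinary mistyped passwords never reach either pattern
        out[src] = {"pattern": pattern, "accounts": len(accounts),
                    "failures": sum(accounts.values()),
                    "window_s": int((times[-1] - times[0]).total_seconds())}
    return out

def sample_events():
    """Constructed log: a spray over 12 accounts a minute apart, a 25-attempt
    brute force on one account within a minute, and a user who mistyped twice."""
    base = datetime(2018, 3, 27, 2, 0, 0)
    lines = [f"{base.replace(minute=i).isoformat()},198.51.100.9,user{i:02d},failure"
             for i in range(12)]
    lines += [f"{base.replace(hour=3, second=i).isoformat()},203.0.113.7,administrator,failure"
              for i in range(25)]
    lines += [f"{base.replace(hour=4).isoformat()},10.0.0.5,alice,failure",
              f"{base.replace(hour=4, second=10).isoformat()},10.0.0.5,alice,failure",
              f"{base.replace(hour=4, second=20).isoformat()},10.0.0.5,alice,success"]
    return lines

if __name__ == "__main__":
    for src, info in classify_sources(parse_events(sample_events())).items():
        print(src, info)
```

Source address is the pivot here because the alert's own indicator is a single IP and User-Agent behind thousands of logons; where the actor rotates sources, pivot on the User-Agent or on the count of distinct accounts failing per minute across all sources instead, and keep the per-account threshold below whatever the lockout policy allows.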

Posted on 28 March 2018 1:00 am on www.us-cert.gov